Full Disclosure mailing list archives
Re: Re: Tools accepted by the courts
From: "KF (lists)" <kf_lists () digitalmunition com>
Date: Tue, 05 Jul 2005 09:50:39 -0400
Has anyone seen legal arguments made about the use of Sleuthkit vs. EnCase? Any comments that would make one lean toward using either one?
-KF

Lauro, John wrote:
> Problem with prosecution... Most X-Rays will not damage most hard
> drives. Hard drives are shielded. Proof of no mutation is the
> checksums on each sector of the hard drive. Unless those fail to
> pass, the data didn't "mutate".
>
> -----Original Message-----
> From: full-disclosure-bounces () lists grok org uk
> [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of Gaurav Kumar
> Sent: Tuesday, July 05, 2005 8:50 AM
> To: full-disclosure () lists grok org uk
> Subject: Re: [Full-disclosure] Re: Tools accepted by the courts
>
> i wish to share what happened in real life-
>
> the lawyer shows proofs of the hacking done.
> the judge say "ok"
> the defense guy asked, is this proof passed through the x-ray
> detector of airport while the proof was shipped.
> "yes" was the obvious reply.
> defense lawyer continued .."since this proof has passed thru xrays,
> there are chances that it might have been mutated" by the rays.
>
> the defendant wont having benefit of doubt.
>
> regards,
> gaurav
>
> On 7/5/05, Jason Coombs <jasonc () science org> wrote:
>> Evidence Technology wrote:
>>> That era is quickly fading. Going forward, I think we'll see more
>>> and more digital evidence rendered inadmissible via failure to
>>> adhere to established evidentiary standards.
>>
>> Jerry,
>>
>> No way. What 'evidentiary standards' are you talking about here?
>>
>> I'm sorry but that's just absurd. How will there ever be
>> 'evidentiary standards' on the contents of my filing cabinet and my
>> personal pornography collection? The police find the data where
>> they find it. That's called 'circumstantial evidence' and digital
>> evidence will always be treated exactly as such no matter who we
>> successfully convince of the flaws inherent in the filing cabinet
>> or printed document/glossy photograph analogy.
>>
>> What I demand to hear spoken by law enforcement, and what I insist
>> prosecutors compel law enforcement to speak if they don't volunteer
>> these words out of their own common sense, is the following:
>>
>> "Yes, that's what we found on the hard drive but there's little or
>> no reason for us to believe that the defendant is responsible for
>> placing it there just because the hard drive was in the defendant's
>> possession. We often see cases where hard drives are installed
>> second-hand and data from previous owners remains on the drive, we
>> can't tell when the data in question was written so it's important
>> to be aware that hundreds of other people could have placed it
>> there. We also see cases where software such as spyware or Web
>> pages full of javascript force a suspect's Web browser to take
>> actions that result in the appearance that the owner of the
>> computer caused Internet content to be retrieved when in fact the
>> owner of the computer may not have known what was happening,
>> malicious Web site programmers know how to use techniques such as
>> pop-unders and frames to hide scripted behavior of Web pages.
>> Furthermore, once the Web browser is closed and its temporary files
>> are deleted, every bit of data that was saved 'temporarily' to a
>> file by the browser becomes a semi-permanent part of the hard
>> drive's unallocated space and we have no way to tell the difference
>> between data that was once part of a temporary file created
>> automatically by a Web page being viewed or scripted inside a Web
>> browser and the same data placed intentionally on the hard drive by
>> its owner without the use of the Internet. Also ..."
>>
>> Disrespectfully Yours,
>>
>> (with extreme prejudice born of intense frustration due to the fact
>> that nobody cares about getting this stuff right when it's so much
>> easier just to collect a forensic paycheck and move on to the next
>> victim -- I would like to think you are part of the solution rather
>> than being part of the problem but you're talking nonsense and so
>> is nearly everyone else in the computer forensics field, most
>> especially the computer forensics vendors who need people to love
>> them in order to make their businesses grow. They do not deserve
>> respect and they most certainly fail the 'lovable' test, but
>> television shows like CSI and visions of fat bank accounts have
>> deceived everyone temporarily...)
>>
>> Please get a clue before you hurt somebody.
>>
>> Jason Coombs
>> jasonc () science org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/